Working with support approved elevations

This week is all about highlighting some recent functionalities that have been introduced in Endpoint Privilege Management (EPM). The most important functionality is probably the newly supported file extensions of .msi and .ps1. That provides a larger footprint for EPM in the world of often elevated file extensions. The same experience as already known for executables. Besides that, there is more new functionality within EPM that might even be more powerful. That functionality is support approved elevations. Support approved elevations allow IT administrators to require approval before an elevation is allowed. That makes sure that when a user tries to run a file in an elevated context that the user is prompted to submit an elevation request. That request is sent to Intune for a …

Read more

Understanding enrollment restrictions for Windows devices

This week is a follow up to the post of last week. That post was focused on understanding corporate identifiers for Windows devices. A method to identify specific devices as corporate Windows devices, which is especially useful in combination with Windows Autopilot device preparation. This post will actually add-on to those corporate identifiers, by focusing on enrollment restrictions for Windows devices. Enrollment restrictions for Windows devices can be used to restrict devices from enrolling in Microsoft Intune. The main differentiators so far, however, were the ownership and OS version of the devices. But something changed in that area as well. With the assignment of device enrollment restrictions for Windows devices it’s now also possible to use specific filters. Using those filters provides more granularity in …

Read more

Understanding corporate identifiers for Windows devices

This week is sort of a follow up to the post of last week. That post was focused on understanding enrollment time grouping in Windows Autopilot device preparation. This post will focus on corporate identifiers for Windows devices. Corporate device identifiers are an important, but not required, addition to the Windows Autopilot device preparation experience. As the concept of Windows Autopilot device preparation is slightly different compared to the Windows Autopilot deployment profiles, there are also different requirements to still register a device as a corporate device. There is no longer the requirement to register devices with the Windows Autopilot deployment service. That, however, also means that there must be something different to make sure that only trusted devices can go through the Windows Autopilot …

Read more

Understanding enrollment time grouping

This week is all about one of the key features of Windows Autopilot device preparation. That feature is enrollment time grouping. Windows Autopilot device preparation itself is a new iteration of Windows Autopilot and is used to quickly set up and configure new Windows devices. So far, nothing new. The focus, however, of Windows Autopilot device preparation is to further simplify the deployment of Windows devices, by delivering consistent configurations, enhancing the overall setup speed, and improving the troubleshooting capabilities. Besides that, it also takes away the requirement of first registering Windows devices with the Windows Autopilot service. Instead the Windows Autopilot device preparation profile is assigned to users and applied after user authentication during the out-of-box experience (OOBE). That provides a much more flexible …

Read more

Managing Windows AI features

This week is all about managing the different Windows AI features that are becoming available on Window 11. Main reason to look at those configurations is triggered by the recent introduction of Windows Recall. Recall is a feature that makes snapshots of the screen and puts that in a timeline. Those snapshots are locally stored on the device. The analyses provided by Recall enables the user to search through those snapshots by using natural language. A potentially really strong feature, but also feature that an organization might want to investigate before using. Something similar is also applicable to another Windows AI feature that was introduced a bit earlier, being Windows Copilot. Besides that, another interesting Windows AI feature is Image Creator in Windows Paint. That’s …

Read more

Getting started with the Remote Help web app

This week is all about the Remote Help web app. Remote Help on itself is nothing new, but it does have an often overlooked feature that can be useful in multiple occasions. That feature is the Remote Help web app. The Remote Help web app can be used to help users on managed and unmanaged devices, without installing the Remote Help app, and in some scenarios even on Linux devices. The former might sound a little bit weird, but due to the nature of the web app, it does technically work in some scenarios to provide support on Linux. Together that makes the Remote Help web app an interesting feature to be familiar with. It is good to know that the web app only supports …

Read more

Smoothly introducing new feature updates for Windows 11 as optional updates

This week is all about a new method to smoothly introduce a new feature update within the organization. That new method is the ability to create a feature update deployment policy with the option to make the new feature update available as an optional update. By making the latest feature update, or any other feature update that eventually must be deployed, available as an optional update, the user is still in control of actually installing the update. That leaves the IT administrator in control of making the feature update available and the user in control of the installation. Doing that, adds an easy step to smoothly introducing a new feature update in the organization. Besides a smooth process, this also provides an easy start when …

Read more

Staging corporate Android devices

This week is all about the recently ability to stage Android Enterprise devices. That ability enables IT administrators to further prepare devices before actually giving them to the user. In a way, staging Android Enterprise devices is similar to pre-provisioning Windows devices. In other words, a method to prepare the device for the user and to simplify and fasten the user experience to get up-and-running. Before, the IT administrator would generate an enrollment token that could be used by the user to start the enrollment process. The user would then sign in and walk through the guided enrollment process. Now, with the staging ability, the IT administrator still generates an enrollment token, but instead of directly sharing that with the user, it’s used by the …

Read more

Combining the different layers of data security on personal Windows devices

This week is a continuation of my previous blog post about working with personal Windows devices. That post was focussed on the different options available for providing secure access to corporate data on personal Windows devices. This post is focussed on providing more details around using those different options actually as different layers in a single solution. All with the focus on providing secure access to corporate data on personal Windows devices, while still providing the user with as much flexibility and options to be productive. Besides that, using different layers of data security also enables the IT administrators to add more granularity to the solution. That makes the total solution less black-and-white. So, for example, not just block the ability of the user to …

Read more

Working with personal Windows devices

This week is kind of a follow up on my post of a couple of weeks ago about why enrolling personal Windows devices might be a really bad idea. That post was focussed on advising against allowing enrolling personal Windows devices into Microsoft Intune (or any other MDM provider). The logic follow up question would be: what are the alternatives? And that’s of course a fair question. This post will be about answering that specific question. And to be quite honest, the answer might come very close to a blog post of about four years around supporting unsupported platforms. The main difference will be what Microsoft has provided over the years. And that’s a lot, especially for the Windows platform. This post will focus on …

Read more